DETAILED ACTION

1. Applicant's request for reconsideration of the finality of the rejection of the last
Office action is persuasive and, therefore, the finality of that action is withdrawn. 

2. Claims 1, 2, 4-12, 14-20, 22, and 24-34 are pending and have been examined. 

Response to Arguments 

3. Applicant's arguments with respect to claims 1, 2, 4-12, 14-20, 22, and 24-34
have been considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 1, 2, 5, 6, 8-12, 14-16, 18-20, 22, 24-26 and 28-34 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Cowie et al. US 2003/0023865 A1, Atkinson,
US 5,892,904, and Pierre Richer: SANS/GIAC Practical Assignment for GSEC 
Certification Version 1.4b: Steganalysis: Detecting hidden information with computer 
forensic analysis, SANS Institute 2003 (Submitted with the Applicant's IDS).

As for claim 1, Cowie teaches a method, comprising, obtaining a signature by reading
code comprising a partial section of a program, (fig. 5: element 18, [0015], [0034], 
[0048]) comparing the signature with one or more computer files (fig. 5: element 18, 
[0015], [0034], [0048]), and, displaying a listing of which of the one or more computer
files provide a match with the signature (fig. 6 element 46, [0050]). Cowie does not
teach that the code read is executable code. However Atkinson does teach this feature 
(col. 7 line 23 through col. 8 line 22). Therefore it would have been obvious to one of 
ordinary skill in the art at the time the invention was made to incorporate this feature of 
Atkinson into the system of Cowie. It would have been obvious to do so since this 
would increase the probability of detecting hidden malware code in a file. Cowie fails to 
teach the feature where the computer-program is a steganographic program configured 
to introduce steganographic items into a computer file. However Richer does teach
such a feature (page 4: Tools Used to Hide Information, page 6: Detecting Hidden 
Information With Various Resources: 1.) Guidance Software Inc. where comparisons of 
an original file MD5 hash is made with a MD5 hash of a suspect file in order to detect 
steganographically embedded data). Therefore it would have been obvious to one of 
ordinary skill in the art at the time the invention was made to incorporate this feature 
into the system of Cowie. It would have been obvious to do so since this would extend 
the types of programs that can be evaluated for embedded malware detectable via the 
comparison step of Cowie.

As for claim 2, Cowie teaches a method according to claim 1 wherein the
indication incorporates an identification of the item's location in the computer system 
([0048] - [0050]). 

As for claim 5, Cowie teaches a method according to claim 1, where an asserted 
file type is ignored when comparing files with the signature ([0048], [0050]: non WIN32 
PE files excluded). 

As for claim 6, Cowie teaches a method according to claim 1 wherein the step of 
comparing the signature with files is for each file preceded by checking the respective 
real file type by reading the start of the file and excluding files having prearranged initial 
byte sequences from comparing with the signature (fig. 6 element 32, [0049]: initial byte 
sequence is used to determine if file is a WIN32 PE file and if not, exclude it from further 
processing). 

As for claim 9, Cowie teaches a method according to claim 1 wherein the one or 
more computer files comprise self-extracting executable files ([0006]). 

As for claim 10, Cowie teaches a method according to claim 1 wherein some 
prearranged files are not identified in the listing despite containing code which matches 
a signature ([0050]).

As for claim 11, the claim is directed towards the apparatus carrying out the
method of claim 1. Claim 11 recites substantially the same limitations as claim 1 and
therefore is rejected on the same basis as that claim.

As for claim 12, Cowie teaches a method according to claim 1 wherein the 
indication incorporates an identification of the matching signature ([0048] - [0050]). 

As for claim 14, Cowie teaches the apparatus according to claim 11 where the
code of the signature comprises a continuous sequence of the partial section of the 
program code (fig. 5: element 18, [0015], [0034], [0048]). 

Claim 15 represents the apparatus carrying out the method steps of claim 5. 
Claim 15 recites substantially the same limitation as claim 5 and is therefore rejected 
on the same basis as that claim. 

As for claim 34, Cowie teaches the apparatus according to claim 15, wherein the 
one or more predetermined file types are a graphics editor ([0030]: WIN32 PE file type 
includes graphics editors). 

As for claim 16, Cowie teaches the apparatus of claim 11 wherein the partial
section of code comprises a start of the computer file, and wherein files having a
prearranged initial byte sequence are excluded for comparison (fig. 6 element 32,
[0030]: file header is examined to determine if the file is a WIN32 PE file, a byte
sequence is inherent for any such sequence of digital data). 

As for claim 19, Cowie teaches the apparatus according to claim 11 wherein the
one or more files comprise polymorphic files (fig. 5 element 16, [0048]: Trojan 
containing files include polymorphic malware). 

As for claim 20, Cowie teaches the apparatus according to claim 11 wherein one
or more predetermined files are not indicated despite containing code which matches a 
signature ([0048], [0050]: non WIN32 PE files excluded). 

As for claim 31, the claim is directed towards a computer program product that
directs a processor to carry out the method of claim 1. Claim 31 recites substantially the
same limitations as claim 1 and is therefore rejected on the same basis as that
claim. 

As for claim 22, Cowie teaches the computer-program product of claim 11 further
comprising identifying a steganographic item responsible for the match ([0048] - [0050]: 
Trojan signature). 



As for claim 24, Cowie teaches the computer-program product of claim 11,
wherein the signature comprises a continuous sequence of program code but not more
than 5% or less than 0.167% of the program (fig. 5: element 18, [0015], [0034], [0048]:
header data is used for the signature). 

As for claim 25, Cowie teaches the computer-program product of claim 31 
wherein an asserted file type is not compared with the signature ([0048], [0050]: non 
WIN32 PE files excluded). 

As for claim 26, this claim is directed towards the computer-program product that 
directs a processor to carry out the method of claim 16. Claim 26 recites substantially 
the same limitations as claim 16 and is therefore rejected on the same basis as that 
claim. 

As for claim 29, this claim is directed towards the computer-program product that 
directs a processor to carry out the method of claim 9. Claim 29 recites substantially 
the same limitations as claim 9 and is therefore rejected on the same basis as that 
claim. 

As for claim 30, this claim is directed towards the computer-program product that 
directs a processor to carry out the method of claim 10. Claim 30 recites substantially
the same limitations as claim 10 and is therefore rejected on the same basis as that 
claim.

As for claim 32, Cowie teaches the computer-readable medium of claim 31,
wherein the method further comprises executing the one or more files, and wherein the 
comparison is made prior to executing the one or more files ([0030]-[0031]: 
identification of banned game programs prior to being run on a business computer). 

As for claim 33, Cowie teaches the method of claim 1, further comprising running 
a virus checking program while comparing the signature with one or more computer 
files (fig. 5: element 18, [0015], [0034], [0048]: the signature comparison algorithm of 
Cowie is an anti-viral program). 

As for claims 8, 18, and 28, each of these claims is directed to the case where 
the file is a deleted or logical wastebasket file. Cowie teaches this feature ([0030]: 
WIN32 PE file type includes such files). 

6. Claim 4 is rejected under 35 U.S.C. 103(a) as being unpatentable over Cowie, 
Atkinson and Richer as applied to claim 1 above, and further in view of Charbonneau, 
US 7,526,654. 

As for claim 4, the combination of Cowie, Atkinson and Richer teaches the 
method according to claim 1, but not explicitly wherein the code that is read is a .DDL
file. However, Charbonneau does teach such a feature (col. 5 lines 10-20). Therefore it 
would have been obvious to one of ordinary skill in the art at the time the invention was 
made to incorporate this feature into the system of Cowie and Richer. It would have
been obvious to do so since this would extend the types of files where embedded 
malware is detectable via the comparison step of Cowie. 

Allowable Subject Matter 

7. Claims 7, 17, and 27 are objected to as being dependent upon a rejected base 
claim, but would be allowable if rewritten in independent form including all of the 
limitations of the base claim and any intervening claims. 

Conclusion 

8. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Paul E. Callahan whose telephone number is (571) 272- 
3869. The examiner can normally be reached on M-F from 9 to 5. 

If attempts to reach the examiner by telephone are unsuccessful, the Examiner's 
supervisor, Emmanuel Moise, can be reached on (571) 272-3865. The fax phone 
number for the organization where this application or proceeding is assigned is: (571) 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic
Business Center (EBC) at 866-217-9197 (toll-free).

/Emmanuel L. Moise/

Supervisory Patent Examiner, Art Unit 2437 



